{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- /*
Cluster-scoped RBAC for the kubeapps-apis Flux v2 plug-in: a ClusterRole plus a
ClusterRoleBinding that grants it to the kubeapps-apis ServiceAccount.
Nothing is rendered unless both .Values.packaging.flux.enabled and
.Values.rbac.create are set. Because the grant is a ClusterRoleBinding (not a
namespaced RoleBinding), every rule in the ClusterRole applies in all namespaces.
*/}}
{{- if .Values.packaging.flux.enabled }}
{{- /* Version label taken from the kubeappsapis image, merged with the chart's common labels. */}}
{{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
{{- if .Values.rbac.create -}}
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
  name: "kubeapps:controller:kubeapps-apis-fluxv2-plugin"
  # the trim marker on the include drops the space after the colon, so the
  # standard labels are emitted by "nindent 4" directly under this key
  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: kubeappsapis
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
rules:
  # read-only access to Flux HelmRepository sources; cluster-wide via the binding below
  - apiGroups: ["source.toolkit.fluxcd.io"]
    resources: ["helmrepositories"]
    verbs: ["get", "list", "watch"]
  # needed by fluxv2 plug-in to check whether flux CRDs have been installed
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list"]
  # Temp hack to avoid
  # Failed to read secret for repo due to: rpc error: code = PermissionDenied desc = Forbidden
  # to get the secret 'helm-podinfo' due to 'secrets "helm-podinfo" is forbidden:
  # User "system:serviceaccount:kubeapps:kubeapps-internal-kubeappsapis" cannot get resource
  # "secrets" in API group "" in the namespace "default"'
  # see discussion in https://github.com/vmware-tanzu/kubeapps/pull/4932#issuecomment-1161243049
  # NOTE(review): together with the ClusterRoleBinding below this is "get" on any
  # Secret in any namespace, with no resourceNames restriction; only the absence of
  # "list"/"watch" keeps the ServiceAccount from enumerating Secrets by name.
  # A namespaced Role/RoleBinding in the namespaces that hold HelmRepository objects
  # would narrow the blast radius, if the plug-in can be scoped that way -- confirm.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
---
# Binds the ClusterRole above to the kubeapps-apis ServiceAccount of this release,
# which is what makes every rule cluster-wide.
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
  name: "kubeapps:controller:kubeapps-apis-fluxv2-plugin"
  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: kubeappsapis
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # must match metadata.name of the ClusterRole in the first document
  name: "kubeapps:controller:kubeapps-apis-fluxv2-plugin"
subjects:
  - kind: ServiceAccount
    name: {{ template "kubeapps.kubeappsapis.serviceAccountName" . }}
    # quoted so a namespace that looks like a number or boolean stays a string
    namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}
{{- end }}